If an attack occurs, the threat should be located and eliminated as soon as feasible. You can lower the risk to your company by integrating strategic monitoring, incident response, and threat intelligence into corporate forensic investigations.
In this issue, we have prepared articles that help you find the right solution for your own business or the company you work for. I hope you enjoy reading them as much as I enjoyed working on them. I would like to thank all the authors for their great work, attitude, and professionalism. Without them, my editor’s world would be hard.
We would like to express our gratitude to our experts, reviewers, and proofreaders who contributed to this publication and invite others to cooperate with our magazine.
Ewa & eForensics Magazine Team
TABLE OF CONTENTS
Reviewing App Data with iOS Forensic Acquisitions
by Amber Schroader
After a device is acquired, the next step in the forensic process is the review of the data. The review stage can vary depending on the tool that is being used. Some tools that might be stronger with acquisition might be poor in their analysis of the data. Always evaluate and validate your tool prior to using it in a forensic investigation. When you review data with an iOS device, the information can be broken into either default apps or third-party apps. Most of the time spent on a smartphone is spent inside apps. In this article, Amber describes why understanding both types of apps that can be on a device is critical.
Forensic Analysis of Ransomwares for Binary Extraction of Cryptographic Keys
by Cleber Soares, Deivison Franco, and Joas dos Santos
Ransomware is a type of malware that prevents access to the infected system by blocking and encrypting files and then demanding a ransom, paid in cryptocurrency, to recover them, which makes it impossible to identify and trace the criminal. Once a system is infected, the malware encrypts the user's data in the background, without the user noticing, and when ready, it issues a "pop-up" stating that the machine is locked and that the user will no longer be able to use it unless they pay the amount demanded to get back the key that gives access to the data. In their article, the authors aim to show the possibility of recovering the cryptographic key of files encrypted by ransomware through the extraction and binary analysis of a memory dump.
The Importance of Corporate Forensics Readiness for Internet of Things Forensic Investigations
by Rhonda Johnson
Internet of Things, or IoT, Forensics is a subfield of Digital Forensics that refers to the application of digital forensic procedures in an IoT ecosystem (Ahmed et al. 2022). As the number of IoT devices grows exponentially, one can expect more criminal investigations to involve the forensic analysis of corporate IoT environments. However, the vast diversity of devices and platforms, together with the security and forensic challenges they bring, makes evidence extraction from IoT difficult. Corporations must make sure that their organizations are aware of the unique challenges of IoT forensics and that IT professionals can meet IoT forensic analysis needs in the case of a criminal investigation. In the article, Rhonda describes the importance of forensic readiness for IoT investigations.
Remote Evidence Search & Collection: An Introduction to Velociraptor
by Gerard Johansen
Enterprise-wide security incidents present several challenges to digital forensic analysts, such as finding the key artifacts in a sea of binaries and files. Overcoming this challenge necessitates the use of Endpoint Detection and Response tools that combine the functionality of antivirus with the ability to conduct incident investigations at the enterprise scale. In this article, Gerard Johansen, digital forensic specialist, will introduce the open-source tool Velociraptor and how this powerful tool can be leveraged to meet two of the challenges of enterprise response.
Malware in the Sky with Diamonds
by Israel Torres
Back then there were plenty of advanced technological mechanisms to gather and share information better and faster, but those were the days before Internet-based search engines and well before the fancy SIEM platforms, so let’s fast-forward to today. In this article, Israel presents a segue into the concept of searching for something you are pretty sure is there amid billions of bits and bytes of chaos - somewhere, perhaps, hides the pattern you seek. You will learn that VirusTotal isn’t just for malware.
Social Media Investigation
by Jeff Minakata
Social media continues to become not only a mainstream way for people to communicate, but also a primary way they obtain news and information. Social media is also a way that misinformation, propaganda, stalking, scams, and other unfortunate activities can take place. If you are a red teamer, security professional, OSINT investigator, or simply looking to reduce your attack surface, Jeff, in his article, focuses on those areas by looking at social media from a reconnaissance point of view.
The Lockbit 3 Black Forensics Analysis (Part I)
by Paulo Pereira, PhD
LockBit 3.0 represents a class of Ransomware as a Service and has increased the attack surface. Paulo, in his article, describes how to use a virtual environment to test LockBit version 3.0, also known as Black ransomware. The REMnux Linux platform will be used to get file information and to open the executable files in Ghidra and the text files in Visual Studio. The victim will be represented by a Windows 10 virtual host, created to receive the files. In this first part, the author focuses on LockBit 3.0 (Black) forensic file analysis.
Windows Memory Analysis
by Ricardo Alves da Silva
In his article, Ricardo discusses memory analysis and identifies suspicious processes that may indicate the execution of malware and possible machine compromise. He also refers to the Volatility Framework, a powerful tool developed for memory analysis with several plugins that help us identify and collect artifacts contained in memory.
How to Filter, Analyse, Investigate, and Report on Acquired Evidence using FTK
by Jon Cook
In a world where ISO 17025 has become a requirement for the operation of Digital Forensic Investigations, the choice of tools has never been so important. The use of robust, reliable, and repeatable processes is the key to success. Accreditation involves considerable investment, so making the right choice for the workflow is now critical to ensuring that investment isn’t wasted. The choice of a software tool capable of extracting present and deleted data alike to recover all items of interest ensures investigators are able to paint as full a picture as possible when analysing a case. Read Jon’s article and find out how to filter, analyse, investigate, and report on acquired evidence.
Interview With Jon Cook
by Ewa & eForensics Team
In this interview, you will read about Jon Cook, who is a technical trainer for Exterro. Much of his role involves supporting users of the FTK suite. That help extends from brand-new customers right through to seasoned users who are looking to brush up on their knowledge or get up to date with the latest features. Our interview with Jon will introduce you to him.